34.0.0 Boulder Opal
IR
552787
CloudBasic
18:21:59
13/01/2022
P0_00122.doc
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
9b56693e37a46a7083049d26043c1e49
ebbdaf2a87d12a423e9e89ca66f6381d6e13393e
4369a2729f0a74892b91cc750e3e9faab1e392aa09e60525cc45f5259c74343b
Rich Text Format (5005/1) 55.56%
true
false
false
false
100
0
100
5
0
5
false
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: EQNEDT32.EXE connecting to internet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Yara detected AntiVM3
Allocates memory in foreign processes
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Office equation editor drops PE file
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Found malware configuration
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Malicious sample detected (through community Yara rule)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for dropped file